This week marks the start of the Payment Card Industry Security Standards Council (PCI SSC) European Community meeting in Edinburgh. For those of you not familiar with this body, it is the 'keeper' of the standard that is the Payment Card Industry Data Security Standard (PCI DSS).
Now it's fair to say that the aforementioned standard hardly rolls off the tongue. It certainly lacks the punchiness and simplicity of 'Chip and PIN', a security measure that we as consumers are all now familiar with.
However, the fact of the matter is that PCI DSS is arguably the unsung hero of cyber security as applied to most SME businesses and possibly many large enterprises too, especially where retail and hospitality are concerned. It garners virtually zero visibility from the mainstream media, even when it has arguably saved the day where large data breaches are concerned.
For example, you may recall that when TalkTalk were in the news almost a year ago to the week, Dido Harding implied that the company had done all it had been obligated to do where protecting consumers' data was concerned. In other words, it was doing what PCI DSS had demanded of it, but when all was said and done, that was as far as it went.
For the best part of 12 years now, anyone taking card payments, anywhere in the world, has been required to be PCI DSS compliant. This mandate has been applied via acquiring banks, who in turn enforce it on their merchant customers. Those taking the greatest number of card payments are required to undergo annual audits, while at the other end of the scale, where far fewer cards are processed, businesses can self-assess.
Now it's worth noting that the requirement for self-validation is at the discretion of the acquiring banks, and that outside of the US and the UK there is very little evidence of it happening.
Whilst the Nordic region has been very PCI DSS savvy, the UK is the only European country where acquiring banks have universally implemented compliance programmes that address the requirement from the largest enterprises to the smallest SMEs. And whilst some SMEs have yet to fully embrace the standard, few will be oblivious to their need to comply with a data security standard associated with the protection of a data asset, albeit only that relating to card payments.
This represents a common and consistent foundation, which should in turn provide UK businesses with a unique head start on GDPR, especially when compared to its European neighbours.
OK, so we have Brexit to negotiate; however, GDPR will apply to any business maintaining Personally Identifiable Information (PII) relating to EU citizens, and it's my guess that even post-Brexit the UK will not want to stand out for a relaxed take on data protection!
If cybersecurity breaches stay at last year’s levels, the fines paid to the European regulator could be 90 times higher, up to £122 billion. Large businesses could see fines up to £70 billion, or a 130-fold increase. “The new EU legislation will be an absolute game-changer for both large organisations and SMEs,” says Jeremy King, International Director at PCI Security Standards Council. “The regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs.” “Companies, both large and small, need to act now and start putting in place robust standards and procedures to counter the cybersecurity threat, or face the prospect of paying astronomical costs in regulatory fines and reputational harm to their brand.”